Analyze DHCP Server Log Files
Applies To: Windows Server 2008
Analyzing server log files
In Windows Server 2008, the DHCP server writes audit logs that are designed to stay enabled permanently: the service manages log file growth and disk usage itself, so no additional monitoring or administration is needed to keep logging turned on. DHCP audit logs are located by default at %windir%\System32\Dhcp.
The following section outlines the format of these log files and how they can be used to gather more information about DHCP Server service operations on the network.
DHCP server log file format
DHCP server logs are comma-delimited text files with each log entry representing a single line of text. Following are the fields (and the order in which they appear) in a log file entry:
ID, Date, Time, Description, IP Address, Host Name, MAC Address
Each of these fields is described in detail in the following table:
Field | Description |
---|---|
ID | A DHCP server event ID code. |
Date | The date on which this entry was logged on the DHCP server. |
Time | The time at which this entry was logged on the DHCP server. |
Description | A description of this DHCP server event. |
IP Address | The IP address of the DHCP client. |
Host Name | The host name of the DHCP client. |
MAC Address | The media access control address used by the network adapter hardware of the client. |
DHCP server log: Common event codes
DHCP server audit log files use reserved event ID codes to provide information about the type of server event or activity logged. The following table describes these event ID codes in more detail.
Event ID | Description |
---|---|
00 | The log was started. |
01 | The log was stopped. |
02 | The log was temporarily paused due to low disk space. |
10 | A new IP address was leased to a client. |
11 | A lease was renewed by a client. |
12 | A lease was released by a client. |
13 | An IP address was found in use on the network. |
14 | A lease request could not be satisfied because the address pool of the scope was exhausted. |
15 | A lease was denied. |
20 | A BOOTP address was leased to a client. |
DNS dynamic update events
When the DHCP server is configured to perform DNS dynamic updates on behalf of DHCP clients, you can use the DHCP audit logs to monitor update requests by the DHCP server to the DNS server, DNS record update successes, and DNS record update failures. The following event IDs are used for DNS dynamic update events:
ID number | DHCP Event |
---|---|
30 | DNS dynamic update request |
31 | DNS dynamic update failed |
32 | DNS dynamic update successful |
The IP address of the DHCP client computer is included in the DHCP audit log so you can track the source in the event of a denial of service attack.
DHCP server logs: Server authorization events
The following are additional server log event ID codes and descriptions. These events can appear in logs made by DHCP servers running Windows Server 2008. They pertain to the applicable DHCP server and its authorization status when deployed in Active Directory environments.
Event ID | Description |
---|---|
50 | Unreachable domain. The DHCP server could not locate the applicable domain for its configured Active Directory installation. |
51 | Authorization succeeded. The DHCP server was authorized to start on the network. |
52 | Upgraded to a Windows Server 2008 operating system. The DHCP server was recently upgraded to a Windows Server 2008 operating system, and, therefore, the unauthorized DHCP server detection feature (used to determine whether the server has been authorized in Active Directory) was disabled. |
53 | Cached authorization. The DHCP server was authorized to start using previously cached information. AD DS could not be found at the time the server was started on the network. |
54 | Authorization failed. The DHCP server was not authorized to start on the network. When this event occurs, it is likely followed by the server being stopped. |
55 | Authorization (servicing). The DHCP server was successfully authorized to start on the network. |
56 | Authorization failure, stopped servicing. The DHCP server was not authorized to start on the network and was shut down by the operating system. You must first authorize the server in the directory before starting it again. |
57 | Server found in domain. Another DHCP server exists and is authorized for service in the same domain. |
58 | Server could not find domain. The DHCP server could not locate the specified domain. |
59 | Network failure. A network-related failure prevented the server from determining if it is authorized. |
60 | No DC is DS Enabled. No domain controller running Windows Server 2008 was located. For detecting whether the server is authorized, a domain controller that is enabled for AD DS is required. |
61 | Server found that belongs to DS domain. Another DHCP server was found on the network that belongs to the Active Directory domain. |
62 | Another server found. Another DHCP server was found on the network. |
63 | Restarting rogue detection. The DHCP server is trying once more to determine whether it is authorized to start and provide service on the network. |
64 | No DHCP enabled interfaces. The DHCP server has its service bindings or network connections configured so that it is not enabled to provide service. This usually means one of the following: |
Example: Excerpt from a sample DHCP server audit log
The following is a brief excerpt of sample log activity from an audit log generated by the DHCP Server service:
```
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,04/19/99,12:43:06,Started,,,
60,04/19/99,12:43:21,No DC is DS Enabled,,MYDOMAIN,
63,04/19/99,12:43:28,Restarting rogue detection,,,
01,04/19/99,13:11:13,Stopped,,,
00,04/19/99,12:43:06,Started,,,
55,04/19/99,12:43:54,Authorized(servicing),,MYDOMAIN,
```
In this sample, the DHCP server could not be authorized when initially started and is subsequently stopped. After it is authorized, the server is then able to start and service clients.
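As an added example (not part of this documentation and not Microsoft's code), the following Python script reads audit log entries in the comma-delimited format described above, maps each event ID to the description from the tables, counts events by ID, and pulls out the entries an administrator would review first: address conflicts, exhausted scopes, denied leases, DNS update failures and authorization failures. It also counts which client (by MAC address, falling back to IP address) produced a given event, which is how the client tracking mentioned for denial-of-service cases can be done from the log. The watch list is a choice made for this example. The sample input is the excerpt above plus four constructed client entries whose description strings, addresses and host name are made up; the header row is skipped because its first field is not a numeric event ID.

```python
"""Parse Windows Server 2008 DHCP audit log entries and pull out the ones
an administrator would review. Added example, not Microsoft's code; the
event-ID table is the page's, the sample lines are constructed."""
import csv
from collections import Counter
from io import StringIO

# Event ID codes and descriptions as listed in the tables above.
EVENT_IDS = {
    "00": "The log was started.",
    "01": "The log was stopped.",
    "02": "The log was temporarily paused due to low disk space.",
    "10": "A new IP address was leased to a client.",
    "11": "A lease was renewed by a client.",
    "12": "A lease was released by a client.",
    "13": "An IP address was found in use on the network.",
    "14": "A lease request could not be satisfied because the address pool "
          "of the scope was exhausted.",
    "15": "A lease was denied.",
    "20": "A BOOTP address was leased to a client.",
    "30": "DNS dynamic update request",
    "31": "DNS dynamic update failed",
    "32": "DNS dynamic update successful",
    "50": "Unreachable domain",
    "51": "Authorization succeeded",
    "52": "Upgraded to a Windows Server 2008 operating system",
    "53": "Cached authorization",
    "54": "Authorization failed",
    "55": "Authorization (servicing)",
    "56": "Authorization failure, stopped servicing",
    "57": "Server found in domain",
    "58": "Server could not find domain",
    "59": "Network failure",
    "60": "No DC is DS Enabled",
    "61": "Server found that belongs to DS domain",
    "62": "Another server found",
    "63": "Restarting rogue detection",
    "64": "No DHCP enabled interfaces",
}

# IDs worth a second look: log paused (02), address conflict (13), scope
# exhausted (14), lease denied (15), DNS update failed (31), authorization
# failed or service stopped (54, 56), network failure during authorization
# (59). This watch list is a choice made for the example.
WATCH_IDS = {"02", "13", "14", "15", "31", "54", "56", "59"}

# Field order from the page: ID, Date, Time, Description, IP Address,
# Host Name, MAC Address.
FIELDS = ("id", "date", "time", "description", "ip", "host", "mac")


def parse_log(text):
    """Return one dict per log entry. The header row (and any preamble text)
    is skipped: only rows whose first field is a two-digit numeric event ID
    are entries. Extra trailing fields, if present, are ignored."""
    entries = []
    for row in csv.reader(StringIO(text)):
        if len(row) < len(FIELDS) or not (len(row[0]) == 2 and row[0].isdigit()):
            continue
        entries.append(dict(zip(FIELDS, row)))
    return entries


def event_counts(entries):
    """Count entries per event ID, a quick picture of server activity."""
    return Counter(e["id"] for e in entries)


def flagged_events(entries, watch=WATCH_IDS):
    """Entries whose event ID is in the watch list, in log order."""
    return [e for e in entries if e["id"] in watch]


def sources_for(entries, event_ids):
    """Count which clients (MAC, falling back to IP) produced the given
    events, so repeated denials or conflicts from one source stand out."""
    return Counter(e["mac"] or e["ip"] or "<none>"
                   for e in entries if e["id"] in event_ids)


def format_entry(e):
    """Render an entry with the page's description for its event ID."""
    meaning = EVENT_IDS.get(e["id"], "Unknown event ID")
    return (f'{e["date"]} {e["time"]} [{e["id"]}] {e["description"]}: {meaning} '
            f'ip={e["ip"] or "-"} host={e["host"] or "-"} mac={e["mac"] or "-"}')


# Constructed sample: the page's excerpt plus four hypothetical client
# entries (lease, DNS failure, scope exhausted, lease denied). The
# description strings, addresses and host name in those lines are made up.
SAMPLE_LOG = """ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,04/19/99,12:43:06,Started,,,
60,04/19/99,12:43:21,No DC is DS Enabled,,MYDOMAIN,
63,04/19/99,12:43:28,Restarting rogue detection,,,
01,04/19/99,13:11:13,Stopped,,,
00,04/19/99,12:43:06,Started,,,
55,04/19/99,12:43:54,Authorized(servicing),,MYDOMAIN,
10,04/19/99,12:44:10,Assign,192.0.2.25,WS01.example.test,00155D01AA01
31,04/19/99,12:44:11,DNS Update Failed,192.0.2.25,WS01.example.test,00155D01AA01
14,04/19/99,12:45:02,Scope Full,,,
15,04/19/99,12:45:30,Deny,192.0.2.99,,00155D01BB02
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("events by ID:", dict(event_counts(entries)))
    for e in flagged_events(entries):
        print("REVIEW:", format_entry(e))
    print("sources of denied leases:", dict(sources_for(entries, {"15"})))
```

To run it against a real file, replace `SAMPLE_LOG` with the contents of one of the DhcpSrvLog files under %windir%\System32\Dhcp; because the parser accepts only rows whose first field is a two-digit event ID, the descriptive preamble that precedes the header in those files is skipped as well.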